In the SmartConsole connected to the Primary server, create a network object to represent the Secondary Security Management Server. Then synchronize the Primary with the Secondary.

To configure the secondary server in SmartConsole:

1. Open SmartConsole.
2. In Object Categories, click New > More > Network Object > Gateways and Servers > Check Point Host.
3. On the General Properties page, enter a unique name and IP address for the server.

   Note: Do not initialize SIC at this time.

4. In the Software Blades, section, select the Management tab.
5. Select Network Policy Management.

   This automatically selects the Secondary Server, Logging and Status, and Provisioning.

6. Create SIC trust between the Secondary Security Management Server and the Primary:
   1. Click Communication.
   2. Enter the SIC Activation Key of the secondary server.
   3. Click Initialize.
   4. Click Close.
7. Click OK.
8. Click Publish to save these session changes to the database.

   On publish, the databases of the primary and secondary server synchronize and continue to synchronize every three minutes.

9. Wait for the Task List in the System Information Area to show that a full sync has completed.
10. Open the High Availability Status window and make sure there is one active server and one standby.

The Active server periodically sends the latest changes to the standby server or servers. Active and Standby servers also synchronize when you publish a session.

When changes made in private sessions are published on the active server (made public) the changes are copied to the standby servers. During failover, all public and private sessions are copied from the active to the standby before the standby becomes active.

The High Availability status window shows this information about synchronization between the active and standby servers:

• Name, status, and actions of the connected server
• Names, statuses, and actions of peers

Status messages can be general, or apply to a specified active or standby server. General messages show in the yellow overview banner.

General Status messages in overview banner	Description
Synchronized	The database of the primary Security Management Server is identical with the database of the secondary.
Some servers could not be synchronized	A communication issue prevents synchronization, or some other synchronization issue exists.
No HA	The active and standby servers are not communicating.
Communication Problem	The fwm service is down or cannot be reached.
Collision or HA conflict	More than one management server configured as active. Two active servers cannot sync with each other.

When connected to a specified active management server:

Status window area:	Specified Status Messages	Description
Connected to:	Active	SmartConsole is connected to the active management server.
Peers	Standby	The peer is in standby. The message can also show: Sync problem, last time sync Ok, last sync time: <time> Last sync failed: <date> Error, partial error No SIC
	Not communicating, last sync time
	Active	A state of collision exists between two servers both defined as active.

When connected to a specified standby management server:

Status window area:	Specified Status Messages	Description
Connected to:	Standby	The message also shows: last sync time.
Peers	Active	The peer is in standby. The message can also show: No communication, last sync time OK, last sync time: <time> Sync problem, last sync time (in any direction)
	Standby/Master unknown	The message can also show: no communication.

Failover between the primary (active) and secondary (standby) management server is not automatic. If the Active fails or it is necessary to change the Active to a Standby, you must do so manually. The two servers synchronize before failover to the new active server. After the failover, you cannot use the former active server to make changes.

If the Active Security Management Server is responsive:

In the High Availability status window, change the active server to standby or the standby to active.

Published database changes are synchronized from the Active to the Standby server. This happens every 1 to 5 minutes, and when an administrator publishes. When the administrator initiates failover, all public sessions are synchronized from the new Active to the new Standby server after the Standby becomes Active. Data from the new Active overrides the data on the new Standby. Unpublished changes are not synchronized.

Best Practice - We recommend that you publish changes before initiating a failover to the Standby.

To change the status of a server:

1. Open SmartConsole.
2. Connect to the Active server.
3. On the Menu button, select High Availability.

   The High Availability Status window opens.

4. Using the Action buttons, Change the Active server to standby, or one of the standby servers to active.

These error messages show in the High Availability Status window when synchronization fails:

No SIC

Solution:

1. Open the Properties window of the Security Management Server.
2. On the General Properties page, click Test SIC Status.
3. Follow the instructions in the SIC Status window.

Not communicating

Solution:

1. From the main SmartConsole menu, select Management High Availability.

   The High Availability Status window opens.

2. For the active server, click Actions > Sync now.

Collision or HA Conflict

More than one management server is configured as active. Solution:

1. From the main SmartConsole menu, select Management High Availability.

   The High Availability Status window opens.

2. Use the Actions button to set one of the active servers to standby.

In a multi-domain environment, the Multi-Domain Servers work in active-active mode. All Multi-Domain Servers are active and synchronize each other.

The Domains managed by the Multi-Domain Server work in active-standby mode, where the Active Domain Server synchronizes all the standby Domain Servers.

The system automatically synchronizes periodically and when an administrator publishes changes to the configuration.

When you create a new secondary Multi-Domain Server, the Internal Certificate Authority (ICA) on the Primary Multi-Domain Server generates a certificate when you establish SIC trust. The ICA can generate a certificate for a new administrator, if required by the authentication method. In a High Availability deployment with more than one Multi-Domain Server, the system synchronizes the ICA databases as necessary.

You can manually synchronize the connected Multi-Domain Server with a peer Multi-Domain Server.

To manually synchronize Multi-Domain Servers:

1. Click the Synchronization Status area at the bottom of the SmartConsole window.
2. In the High Availability Status window, select a peer Multi-Domain Server to synchronize.
3. Click Sync Peer.

Synchronization starts immediately and the status shows in the window. The synchronization operation can take many minutes to complete.

Warning: Use manual synchronization with caution. This can overwrite all data on the peer Multi-Domain Server if they do not synchronize correctly.

You can manually synchronization a Standby Domain Management Server with the Active Domain Management Server on a different Multi-Domain Server.

To manually synchronize Domain Management Servers for a Domain:

1. Open SmartConsole for the active Domain Management Server.
2. Click Menu > High Availability.
3. In the High Availability Status window, click Actions > Sync Peer.

Synchronization starts immediately and the status shows in the window. The synchronization operation can take many minutes to complete.